In this post, I’ll give an overview of Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and the Windows 10 EDP end-user experience. What is WIP/EDP? It is very important to understand that WIP is Microsoft's solution for protecting against accidental data leakage. Windows 10 Enterprise has loads of security enhancements. I think Microsoft invested heavily in mainly three pieces: 1. Secure Identities, 2. Information Protection and 3. Threat Resistance. Windows Information Protection/EDP is part of Information Protection. Within Information Protection, Microsoft recommends having 1. Encryption (BitLocker), 2. WIP/EDP and 3. Azure Information Protection (or RMS).

WIP/EDP is fully supported in the Windows 10 Anniversary Update (1607), which was released recently. We can use Intune standalone and SCCM CB 1606 to configure Windows Information Protection policies. Before implementing WIP in your organization, it is very important to find out which applications are WIP enabled and to define, for each application, which WIP list it belongs in: Allow or Exempt.

Before I go into details, here is a video tutorial that explains the configuration along with a demo of the Windows 10 end-user experience. I used Windows 10 Insider Build 14342 with Microsoft Intune.

Following are the quick steps to configure the Windows 10 EDP policies in the Intune console:-

Configure the list of Windows 10 apps (Universal/Store or Desktop) that you want to protect through EDP
Select the EDP/WIP mode of protection
Configure the network locations/IP ranges
Upload the data recovery certificate
Configure the EDP settings

Configure the list of Windows 10 apps (Universal/Store or Desktop) that you want to protect through EDP/WIP

There are two types of apps in the Intune console that we can configure: Universal/Store apps and Desktop apps. To configure Windows 10 EDP/WIP policies, we first need to identify the applications that you want to protect via EDP policies. For that, the first thing we need is the publisher details and the product name of each app. How do we get that information?

Intune Console:-

SCCM Console :-

You can find the publisher and product name of Store and desktop apps using Local Security Policy –> Application Control Policies –> AppLocker –> Packaged app Rules.
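The publisher and product name can also be collected from a reference machine with PowerShell, which is handy when the allow list is long. The script below is an added example and is not from the original post or from Microsoft; the app names and paths in it are constructed samples, and the CSV output path is an assumption. It uses Get-AppxPackage for Store apps and Get-AppLockerFileInformation for desktop apps, and warns about unsigned desktop binaries, which cannot be added by publisher rule at all.

```powershell
# Added example (not from the original post): collect the publisher and product
# name that the Intune/SCCM WIP policy editor asks for, for each app on the allow list.
# Assumptions: the app names/paths below are constructed samples; adjust for your estate.

# --- Store (Universal) apps: the AppX identity carries the publisher string -------------
$storeApps = @('Microsoft.WindowsCalculator', 'microsoft.windowscommunicationsapps')  # constructed sample

$storeRows = foreach ($name in $storeApps) {
    $pkg = Get-AppxPackage -Name $name -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $pkg) { Write-Warning "Store app '$name' is not installed on this device"; continue }
    [pscustomobject]@{
        Type        = 'Store'
        Publisher   = $pkg.Publisher            # e.g. CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
        ProductName = $pkg.Name
        Identity    = $pkg.PackageFamilyName
    }
}

# --- Desktop apps: read the Authenticode publisher from the signed binary ---------------
$desktopApps = @(
    'C:\Windows\System32\notepad.exe',
    'C:\Program Files\Windows NT\Accessories\wordpad.exe'
)  # constructed sample

$desktopRows = foreach ($path in $desktopApps) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing: $path"; continue }
    $info = Get-AppLockerFileInformation -Path $path
    # Unsigned binaries have no publisher; WIP publisher rules cannot cover them
    if (-not $info.Publisher) { Write-Warning "Unsigned, no publisher rule possible: $path"; continue }
    [pscustomobject]@{
        Type        = 'Desktop'
        Publisher   = $info.Publisher.PublisherName   # e.g. O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
        ProductName = $info.Publisher.ProductName
        Identity    = $info.Publisher.BinaryName
    }
}

# @() guards against a single result being a scalar instead of an array
$rows = @($storeRows) + @($desktopRows)
$rows | Format-Table -AutoSize

# Keep a copy to paste into the policy editor and to review before deployment
$rows | Export-Csv -Path (Join-Path $env:TEMP 'wip-app-identities.csv') -NoTypeInformation
```

Run it in an elevated PowerShell session on a machine that has the target apps installed; the Publisher column is the string the policy editor expects, and the warning lines are the apps you will have to handle another way (for example by re-packaging or by requesting a signed build).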

Select the WIP/EDP Mode of protection

Which mode of protection do you want to select for the EDP policy? I selected Block mode !! The protection modes available in an EDP policy are 1. Block, 2. Override, 3. Silent, 4. Off.

Configure the Network locations through EDP/WIP Policies

These are the network locations that the apps you configured can access; no other apps can access these locations. These network location settings are very important for the EDP/WIP policy to work on a Windows 10 machine !!
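Because a typo in the network boundary silently breaks the policy, it is worth validating the IPv4 ranges and domain names before typing them into the console. The script below is an added example and is not from the original post or from Microsoft; the ranges and domains in it are constructed samples for a fictional tenant (one range is deliberately reversed and one domain deliberately malformed so the checks have something to flag), and the "start-end, comma separated" range form is the one the WIP policy uses for IPv4 ranges.

```powershell
# Added example (not from the original post): sanity-check the enterprise network
# boundary before entering it in the WIP policy. Assumption: the values below are
# constructed samples; 172.16.0.0-172.15.255.255 and bad_domain are intentionally wrong.

$ipv4Ranges = '10.0.0.0-10.255.255.255, 192.168.10.1-192.168.10.254, 172.16.0.0-172.15.255.255'
$domains    = 'corp.example.local, sharepoint.example.com, bad_domain'

function ConvertTo-UInt32Address {
    # IPv4 address -> unsigned integer (network byte order) so ranges can be compared
    param([System.Net.IPAddress]$Address)
    $bytes = [byte[]]($Address.GetAddressBytes()[3..0])   # reverse for little-endian ToUInt32
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-WipIpv4Range {
    param([string]$RangeList)
    foreach ($range in ($RangeList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $parts = $range -split '-'
        $start = $null; $end = $null
        $ok = ($parts.Count -eq 2) -and
              [System.Net.IPAddress]::TryParse($parts[0], [ref]$start) -and
              [System.Net.IPAddress]::TryParse($parts[1], [ref]$end) -and
              ($start.AddressFamily -eq 'InterNetwork') -and ($end.AddressFamily -eq 'InterNetwork')
        if ($ok) {
            # Start must not be above end, otherwise the range matches nothing
            $ok = (ConvertTo-UInt32Address $start) -le (ConvertTo-UInt32Address $end)
        }
        [pscustomobject]@{ Range = $range; Valid = $ok }
    }
}

function Test-WipDomainName {
    param([string]$DomainList)
    foreach ($d in ($DomainList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        # RFC 1123 host-name labels: letters, digits and hyphens, no leading/trailing hyphen
        $valid = $d -match '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
        [pscustomobject]@{ Domain = $d; Valid = $valid }
    }
}

Test-WipIpv4Range -RangeList $ipv4Ranges | Format-Table -AutoSize
Test-WipDomainName -DomainList $domains   | Format-Table -AutoSize
```

With the sample input, the first two ranges and the first two domains report Valid = True, while the reversed range and the underscore domain report False; fix anything flagged before saving the policy, since an invalid entry means work data from that location is not recognised as enterprise data.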

Configure WIP/EDP Data recovery agent cert

Configuring a WIP/EDP data recovery agent (DRA) certificate is mandatory now !! The recommended way is to reuse the EFS DRA from your domain, when you have one. There are some other ways to create a test cert !! I have uploaded one, as you can see in the picture below :-
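One of those other ways is cipher.exe, which can generate an EFS recovery certificate for a lab. The script below is an added example and is not from the original post or from Microsoft; it creates a test DRA with cipher /r (which prompts interactively for the .pfx password), then checks the .cer you are about to upload for the File Recovery enhanced key usage and an expiry date. The output file name is a constructed assumption.

```powershell
# Added example (not from the original post): create a test EFS data recovery agent
# (DRA) certificate and verify the .cer before uploading it to the WIP policy.
# Assumptions: the base name 'WipTestDRA' is constructed; cipher /r asks for a password.

$baseName = Join-Path $env:USERPROFILE 'WipTestDRA'

# cipher /r writes <name>.cer (public certificate, this is what you upload) and
# <name>.pfx (private key; keep it offline, it can decrypt every WIP-protected file)
if (-not (Test-Path "$baseName.cer")) {
    cipher.exe /r:$baseName
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$baseName.cer"

# EFS recovery certificates carry the "File Recovery" EKU
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasFileRecovery = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid }))

[pscustomobject]@{
    Subject         = $cert.Subject
    Thumbprint      = $cert.Thumbprint
    NotAfter        = $cert.NotAfter
    HasFileRecovery = $hasFileRecovery
    Expired         = ($cert.NotAfter -lt (Get-Date))
} | Format-List

if (-not $hasFileRecovery) {
    Write-Warning 'This certificate has no File Recovery EKU; it is not an EFS DRA certificate.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'This certificate has expired; recovery of protected files would fail.'
}
```

Treat the .pfx the way you would treat any key that can decrypt all protected data: store it offline and out of the profile folder once the .cer has been uploaded, and track the NotAfter date so the DRA is rotated before it expires.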

Configure WIP/EDP Policy settings

WIP/EDP Settings – the last piece of WIP/EDP configuration in Intune. By default, none of these settings are enabled !!

Allow user to edit or decrypt data –> NO
Protect App content when the device is in locked state –> Yes

Windows 10 WIP/EDP – End User Experience

In my example here :-

WordPad is NOT an EDP-protected app – I tried to copy the enterprise mail content to this unprotected app and it gave me the following error: “This is work content only – your organization, PuneITPro.onmicrosoft.com, doesn’t allow you to change the ownership of this content from work to Personal”

Notepad is an EDP-protected app – I tried to copy the enterprise mail content to a WIP/EDP protected app (Notepad) and it allowed me to copy the content. You should also notice the EDP lock symbol.

Anoop is a Microsoft MVP and Veeam Vanguard! He is a Solution Architect on enterprise client management with more than 16 years of experience (calculation done in the year 2014) in IT. He is a blogger, speaker and local user group community leader. His main focus is on device management technologies like SCCM 2012, Current Branch and Intune. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V etc.

Hi there, apologies as I don’t think this is the right post for this, but I’m trying to upgrade Windows mobiles from 8.1 to 10 using SCCM CB hybrid. I’ve got the compliance policy that makes 10 available; however, I’m trying to force the upgrade to go in. I don’t really want to get all the phones and click “upgrade”. I just want them to do so when enrolled and they get the policy. Is there a way to do that please?
